SlideShare a Scribd company logo

API Security using Mulesoft

Download as PPTX, PDF
P
Pritam Prakash

It's my API security presentation at Beer, Biryani and Bytes help at Apisero office where I discussed how API can be threats and if not protected how vulnerable are our APIs will be especially to hackers. And has Mulesoft in its box to save your APIs from 'n' number of threats. To know more about API security using Mulesoft. Contact me on LinkedIn.

Technology
1 of 23
Greetings for the Day!
About the Presenter Pritam Prakash, Senior Consultant, Apisero 5 years of Experience in API SLDC October 2019
API Security GAME OF API’s - PART 1
In this meet-up we are gonna discuss about: 1. API Breaches: Who Will Be Next? 2. Understanding API Vulnerabilities 3. Security Auditing 4. What Mulesoft serve for API Security. 5. Securing Your APIs with Mulesoft 6. What we can do about it as developers, testers, architects and security officers.
API attackers are knowing API’s more than you.
Gartner report:
API VULNERABILITIES 1. Man in the Middle 2. CSRF Attack(Cross Site Request Forgery attacks) 3. SQL Injection 4. Distributed Denial of Services(Rate Limiting) 5. HTTPS and SSL Certificates 6. Firewall Optimizations 7. Logs And much more……………………...
How can your RAML or OSA/Swagger can be targeted?
SQL Injections How you thought it to be-: How attackers find a way-: What you not thought to be it was:
Whats a Secure API? A secure API is one that can guarantee the confidentiality of the information it processes by making it visible only to the Users, Apps, and Servers that are authorized to consume it.
Security Auditing
Security Auditing
What Mulesoft serve for API Security. 1. API Gateways -Proxy and Policy Implementation (Policy for every need) 1. Identity Access Management(federated identity standard) 2. Mule Security Manager 3. SSH 4. PGP Security 5. Secrets Manager
Policy Category Fulfills Basic Authentication - LDAP and Simple Security Authentication Client ID Enforcement Compliance Client ID Required CORS Compliance CORS-enabled Header Injection and Removal Transformation Header Injection/Header Removal HTTP Caching Quality of Service HTTP Caching IP Blacklist/IP Whitelist Security IP Filtered JSON Threat Protection Security JSON Threat Protected OAuth 2.0 Access Token Enforcement Using External Provider Policy Security OAuth 2.0 protected OpenAM Access Token Enforcement Security OAuth 2.0 Protected PingFederate Access Token Enforcement Security OAuth 2.0 Protected Rate Limiting Quality of Service Rate Limited Rate Limiting, SLA-Based Quality of Service Rate Limited, Client ID required Spike Control Quality of Service Throttled, Rate Limited XML Threat Protection Security XML Threat Protected Tokenization/Detokenization Security Security JWT Security Security
Analysis at Conclusion ● Discover Your APIs Before Attackers Discover Them ● Use a Combination of API Management and Web Application Firewalls to Protect APIs, in Conjunction With Identity Infrastructure ● Adopt a Continuous Approach to API Security ● Use a Distributed Enforcement Model to Protect APIs Across Your Entire Architecture, Not Just at the Perimeter
Questions?
Game Of Api’s Part-2 ???

Recommended

Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...
Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...
Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...
Ricardo Rodríguez
 
Raleigh MuleSoft Meetup - October
Raleigh MuleSoft Meetup - October Raleigh MuleSoft Meetup - October
Raleigh MuleSoft Meetup - October
Savannah Cole
 
MuleSoft Meetup Dubai Anypoint security with api-led Connectivity
MuleSoft Meetup Dubai Anypoint security with api-led ConnectivityMuleSoft Meetup Dubai Anypoint security with api-led Connectivity
MuleSoft Meetup Dubai Anypoint security with api-led Connectivity
satyasekhar123
 
Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsData-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive Threats
Apigee | Google Cloud
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
Apigee | Google Cloud
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
WSO2
 
Virtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best PracticesVirtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best Practices
Jimmy Attia
 
Security in mulesoft
Security in mulesoftSecurity in mulesoft
Security in mulesoft
akshay yeluru
 

Recommended

Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...
Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...
Mulesoft Meetups - Salesforce & Mulesoft Integrations, Anypoint Security Poli...
Ricardo Rodríguez
 
Raleigh MuleSoft Meetup - October
Raleigh MuleSoft Meetup - October Raleigh MuleSoft Meetup - October
Raleigh MuleSoft Meetup - October
Savannah Cole
 
MuleSoft Meetup Dubai Anypoint security with api-led Connectivity
MuleSoft Meetup Dubai Anypoint security with api-led ConnectivityMuleSoft Meetup Dubai Anypoint security with api-led Connectivity
MuleSoft Meetup Dubai Anypoint security with api-led Connectivity
satyasekhar123
 
Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsData-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive Threats
Apigee | Google Cloud
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
Apigee | Google Cloud
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
WSO2
 
Virtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best PracticesVirtual Meetup - API Security Best Practices
Virtual Meetup - API Security Best Practices
Jimmy Attia
 
Security in mulesoft
Security in mulesoftSecurity in mulesoft
Security in mulesoft
akshay yeluru
 
Secure by design: Scaling security across the enterprise
Secure by design: Scaling security across the enterpriseSecure by design: Scaling security across the enterprise
Secure by design: Scaling security across the enterprise
MuleSoft
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
Apigee | Google Cloud
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Akana
 
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouseapidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best Practices
CA API Management
 
Object Store V2 Workshop
Object Store V2 WorkshopObject Store V2 Workshop
Object Store V2 Workshop
MuleSoft
 
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
MuleSoft
 
Designing and building Mule applications
Designing and building Mule applicationsDesigning and building Mule applications
Designing and building Mule applications
MuleSoft
 
Identity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAMLIdentity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAML
pqrs1234
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital Age
Apigee | Google Cloud
 
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...
MuleSoft
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API Management
Eldert Grootenboer
 
CloudHub and other Cloud Deployment Options
CloudHub and other Cloud Deployment OptionsCloudHub and other Cloud Deployment Options
CloudHub and other Cloud Deployment Options
MuleSoft
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays
 
Toronto Virtual Meetup #5 - API Security and Threats
Toronto Virtual Meetup #5 - API Security and ThreatsToronto Virtual Meetup #5 - API Security and Threats
Toronto Virtual Meetup #5 - API Security and Threats
Alexandra N. Martinez
 
Rtf externalize tls MuleSoft meetup
Rtf externalize tls MuleSoft meetupRtf externalize tls MuleSoft meetup
Rtf externalize tls MuleSoft meetup
Sandeep Deshmukh
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...
Apigee | Google Cloud
 
Bangalore mulesoft meetup#10
Bangalore mulesoft meetup#10Bangalore mulesoft meetup#10
Bangalore mulesoft meetup#10
D.Rajesh Kumar
 
Protecting APIs from Mobile Threats- Beyond Oauth
Protecting APIs from Mobile Threats- Beyond OauthProtecting APIs from Mobile Threats- Beyond Oauth
Protecting APIs from Mobile Threats- Beyond Oauth
Apigee | Google Cloud
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
Apigee | Google Cloud
 
Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To Know
AaronLieberman5
 

More Related Content

What's hot

Secure by design: Scaling security across the enterprise
Secure by design: Scaling security across the enterpriseSecure by design: Scaling security across the enterprise
Secure by design: Scaling security across the enterprise
MuleSoft
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
Apigee | Google Cloud
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Akana
 
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouseapidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best Practices
CA API Management
 
Object Store V2 Workshop
Object Store V2 WorkshopObject Store V2 Workshop
Object Store V2 Workshop
MuleSoft
 
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
MuleSoft
 
Designing and building Mule applications
Designing and building Mule applicationsDesigning and building Mule applications
Designing and building Mule applications
MuleSoft
 
Identity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAMLIdentity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAML
pqrs1234
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital Age
Apigee | Google Cloud
 
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...
MuleSoft
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API Management
Eldert Grootenboer
 
CloudHub and other Cloud Deployment Options
CloudHub and other Cloud Deployment OptionsCloudHub and other Cloud Deployment Options
CloudHub and other Cloud Deployment Options
MuleSoft
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays
 
Toronto Virtual Meetup #5 - API Security and Threats
Toronto Virtual Meetup #5 - API Security and ThreatsToronto Virtual Meetup #5 - API Security and Threats
Toronto Virtual Meetup #5 - API Security and Threats
Alexandra N. Martinez
 
Rtf externalize tls MuleSoft meetup
Rtf externalize tls MuleSoft meetupRtf externalize tls MuleSoft meetup
Rtf externalize tls MuleSoft meetup
Sandeep Deshmukh
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...
Apigee | Google Cloud
 
Bangalore mulesoft meetup#10
Bangalore mulesoft meetup#10Bangalore mulesoft meetup#10
Bangalore mulesoft meetup#10
D.Rajesh Kumar
 
Protecting APIs from Mobile Threats- Beyond Oauth
Protecting APIs from Mobile Threats- Beyond OauthProtecting APIs from Mobile Threats- Beyond Oauth
Protecting APIs from Mobile Threats- Beyond Oauth
Apigee | Google Cloud
 

What's hot (20)

Secure by design: Scaling security across the enterprise
Secure by design: Scaling security across the enterpriseSecure by design: Scaling security across the enterprise
Secure by design: Scaling security across the enterprise
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouseapidays LIVE Paris - Principles for API security by Alan Glickenhouse
apidays LIVE Paris - Principles for API security by Alan Glickenhouse
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best Practices
 
Object Store V2 Workshop
Object Store V2 WorkshopObject Store V2 Workshop
Object Store V2 Workshop
 
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
apidays LIVE Paris - Creating a scalable ecosystem of Microservices by Archan...
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
Designing and building Mule applications
Designing and building Mule applicationsDesigning and building Mule applications
Designing and building Mule applications
 
Identity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAMLIdentity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAML
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital Age
 
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...
Gluecon 2017: API Modelling Framework - A Toolbox for Interacting With API S...
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API Management
 
CloudHub and other Cloud Deployment Options
CloudHub and other Cloud Deployment OptionsCloudHub and other Cloud Deployment Options
CloudHub and other Cloud Deployment Options
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
 
Toronto Virtual Meetup #5 - API Security and Threats
Toronto Virtual Meetup #5 - API Security and ThreatsToronto Virtual Meetup #5 - API Security and Threats
Toronto Virtual Meetup #5 - API Security and Threats
 
Rtf externalize tls MuleSoft meetup
Rtf externalize tls MuleSoft meetupRtf externalize tls MuleSoft meetup
Rtf externalize tls MuleSoft meetup
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http...
 
Bangalore mulesoft meetup#10
Bangalore mulesoft meetup#10Bangalore mulesoft meetup#10
Bangalore mulesoft meetup#10
 
Protecting APIs from Mobile Threats- Beyond Oauth
Protecting APIs from Mobile Threats- Beyond OauthProtecting APIs from Mobile Threats- Beyond Oauth
Protecting APIs from Mobile Threats- Beyond Oauth
 

Similar to API Security using Mulesoft

Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
Apigee | Google Cloud
 
Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To Know
AaronLieberman5
 
Deep-Dive: Secure API Management
Deep-Dive: Secure API ManagementDeep-Dive: Secure API Management
Deep-Dive: Secure API Management
Apigee | Google Cloud
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
Michael Furman
 
Web API Security
Web API SecurityWeb API Security
Web API Security
Stefaan
 
How Secure is Your API?
How Secure is Your API?How Secure is Your API?
How Secure is Your API?
Mary Joy Sabal
 
Gateway/APIC security
Gateway/APIC securityGateway/APIC security
Gateway/APIC security
Shiu-Fun Poon
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API Security
AaronLieberman5
 
API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)
Apigee | Google Cloud
 
APIC/DataPower security
APIC/DataPower securityAPIC/DataPower security
APIC/DataPower security
Shiu-Fun Poon
 
42Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1
WSO2
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API Security
AaronLieberman5
 
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays
 
How To Fix The Most Critical API Security Risks.pdf
How To Fix The Most Critical API Security Risks.pdfHow To Fix The Most Critical API Security Risks.pdf
How To Fix The Most Critical API Security Risks.pdf
Niloufer Tamboly CISSP, CPA, CIA, CISA, CFE
 
How to Achieve Agile API Security
How to Achieve Agile API SecurityHow to Achieve Agile API Security
How to Achieve Agile API Security
Apigee | Google Cloud
 
5 Best Practices To Make Your API More Protected Against Attackers.pdf
5 Best Practices To Make Your API More Protected Against Attackers.pdf5 Best Practices To Make Your API More Protected Against Attackers.pdf
5 Best Practices To Make Your API More Protected Against Attackers.pdf
Probely
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition
APIsecure_ Official
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Ping Identity
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
AaronLieberman5
 

Similar to API Security using Mulesoft (20)

Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
 
Layered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To KnowLayered API Security: What Hackers Don't Want You To Know
Layered API Security: What Hackers Don't Want You To Know
 
Deep-Dive: Secure API Management
Deep-Dive: Secure API ManagementDeep-Dive: Secure API Management
Deep-Dive: Secure API Management
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Web API Security
Web API SecurityWeb API Security
Web API Security
 
How Secure is Your API?
How Secure is Your API?How Secure is Your API?
How Secure is Your API?
 
Gateway/APIC security
Gateway/APIC securityGateway/APIC security
Gateway/APIC security
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API Security
 
API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)API Security from the DevOps and CSO Perspectives (Webcast)
API Security from the DevOps and CSO Perspectives (Webcast)
 
APIC/DataPower security
APIC/DataPower securityAPIC/DataPower security
APIC/DataPower security
 
42Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1
 
What Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API SecurityWhat Hackers Don’t Want You To Know: How to Maximize Your API Security
What Hackers Don’t Want You To Know: How to Maximize Your API Security
 
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
 
How To Fix The Most Critical API Security Risks.pdf
How To Fix The Most Critical API Security Risks.pdfHow To Fix The Most Critical API Security Risks.pdf
How To Fix The Most Critical API Security Risks.pdf
 
How to Achieve Agile API Security
How to Achieve Agile API SecurityHow to Achieve Agile API Security
How to Achieve Agile API Security
 
5 Best Practices To Make Your API More Protected Against Attackers.pdf
5 Best Practices To Make Your API More Protected Against Attackers.pdf5 Best Practices To Make Your API More Protected Against Attackers.pdf
5 Best Practices To Make Your API More Protected Against Attackers.pdf
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
 

Recently uploaded

When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 

Recently uploaded (20)

When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 

API Security using Mulesoft

  • 2. About the Presenter Pritam Prakash, Senior Consultant, Apisero 5 years of Experience in API SLDC October 2019
  • 3. API Security GAME OF API’s - PART 1
  • 4. In this meet-up we are gonna discuss about: 1. API Breaches: Who Will Be Next? 2. Understanding API Vulnerabilities 3. Security Auditing 4. What Mulesoft serve for API Security. 5. Securing Your APIs with Mulesoft 6. What we can do about it as developers, testers, architects and security officers.
  • 5. API attackers are knowing API’s more than you.
  • 6.
  • 7.
  • 9. API VULNERABILITIES 1. Man in the Middle 2. CSRF Attack(Cross Site Request Forgery attacks) 3. SQL Injection 4. Distributed Denial of Services(Rate Limiting) 5. HTTPS and SSL Certificates 6. Firewall Optimizations 7. Logs And much more……………………...
  • 10. How can your RAML or OSA/Swagger can be targeted?
  • 11.
  • 12. SQL Injections How you thought it to be-: How attackers find a way-: What you not thought to be it was:
  • 13. Whats a Secure API? A secure API is one that can guarantee the confidentiality of the information it processes by making it visible only to the Users, Apps, and Servers that are authorized to consume it.
  • 16.
  • 17. What Mulesoft serve for API Security. 1. API Gateways -Proxy and Policy Implementation (Policy for every need) 1. Identity Access Management(federated identity standard) 2. Mule Security Manager 3. SSH 4. PGP Security 5. Secrets Manager
  • 18.
  • 19. Policy Category Fulfills Basic Authentication - LDAP and Simple Security Authentication Client ID Enforcement Compliance Client ID Required CORS Compliance CORS-enabled Header Injection and Removal Transformation Header Injection/Header Removal HTTP Caching Quality of Service HTTP Caching IP Blacklist/IP Whitelist Security IP Filtered JSON Threat Protection Security JSON Threat Protected OAuth 2.0 Access Token Enforcement Using External Provider Policy Security OAuth 2.0 protected OpenAM Access Token Enforcement Security OAuth 2.0 Protected PingFederate Access Token Enforcement Security OAuth 2.0 Protected Rate Limiting Quality of Service Rate Limited Rate Limiting, SLA-Based Quality of Service Rate Limited, Client ID required Spike Control Quality of Service Throttled, Rate Limited XML Threat Protection Security XML Threat Protected Tokenization/Detokenization Security Security JWT Security Security
  • 20.
  • 21. Analysis at Conclusion ● Discover Your APIs Before Attackers Discover Them ● Use a Combination of API Management and Web Application Firewalls to Protect APIs, in Conjunction With Identity Infrastructure ● Adopt a Continuous Approach to API Security ● Use a Distributed Enforcement Model to Protect APIs Across Your Entire Architecture, Not Just at the Perimeter
  • 23. Game Of Api’s Part-2 ???